© 2026 Beacon Cloud Solutions, Inc. All rights reserved.

V-270255

CAT II (Medium)

Microsoft Entra ID must notify system administrators (SAs) and the information system security officer (ISSO) when privileges are being requested.

Rule ID

SV-270255r1085626_rule

STIG

Microsoft Entra ID Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-000015

Discussion

When application accounts are modified, user accessibility is affected. Accounts are used for identifying individual users or for identifying the application processes themselves. Sending notification of account modification events to the system administrator and ISSO is one method for mitigating this risk. Such a capability greatly reduces the risk that application accessibility will be negatively affected for extended periods of time and also provides logging that can be used for forensic purposes. To address access requirements, many operating systems can be integrated with enterprise-level authentication/access/auditing mechanisms that meet or exceed access control policy requirements.

Check Content

Verify PIM is in use with email notifications going to the SA and ISSO when privileges are requested.

1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
2. Search for "Microsoft Entra Privileged Identity Management".
3. Navigate to "Management" and select "Microsoft Entra roles".
4. Expand the "Manage" menu and select roles.
5. For each role that is either active or eligible, perform the following:
a. Select the role.
b. Navigate to role settings.
c. Under "Send notifications when eligible members activate this role:", verify the SA and ISSO email addresses are listed under "Additional recipients" for the type "Role activation alert".

If the SA and ISSO are not set up to receive email notification when privileges are requested through PIM, this is a finding.

Fix Text

Configure PIM to send email notifications to the SA and ISSO when privileges are requested.

1. Sign in to the Microsoft Entra admin center as at least an Authentication Policy Administrator.
2. Search for "Microsoft Entra Privileged Identity Management".
3. Navigate to "Management" and select "Microsoft Entra roles".
4. Expand the "Manage" menu and select roles.
5. For each role that is either active or eligible, perform the following:
a. Select the role.
b. Navigate to role settings.
c. Select "Edit".
d. Navigate to the "Notification" tab.
e. Under "Send notifications when eligible members activate this role:" add the SA and ISSO email addresses under "Additional recipients".
f. Select "Update".
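The check and fix above are written for the Microsoft Entra admin center. The script below is an added example, not part of the STIG or of STIGhub, that performs the same audit (and, with -Remediate, the same fix) for every role that currently has an active or eligible assignment, using the Microsoft Graph PowerShell SDK. It assumes the admin center's "Send notifications when eligible members activate this role" / "Role activation alert" setting corresponds to the PIM policy rule with id Notification_Admin_EndUser_Assignment, that the Microsoft.Graph module is installed, and that the SA/ISSO addresses in $RequiredRecipients are placeholders to be replaced with your own.

```powershell
<#
Added example (not STIG or STIGhub code): audit, and optionally remediate, the
PIM "Role activation alert" recipients that V-270255 checks.

Assumptions:
  - Microsoft.Graph module installed; the signed-in account can consent to
    RoleManagementPolicy.Read.Directory and RoleManagement.Read.Directory
    (plus RoleManagementPolicy.ReadWrite.Directory when -Remediate is used).
  - The admin center's "Role activation alert" maps to the policy rule
    Notification_Admin_EndUser_Assignment.
  - sa@example.mil / isso@example.mil are placeholders for the real SA and ISSO mailboxes.
#>
param(
    [string[]]$RequiredRecipients = @('sa@example.mil', 'isso@example.mil'),
    [switch]$Remediate
)

$scopes = @('RoleManagementPolicy.Read.Directory', 'RoleManagement.Read.Directory')
if ($Remediate) { $scopes += 'RoleManagementPolicy.ReadWrite.Directory' }
Connect-MgGraph -Scopes $scopes -NoWelcome

# Step 5 of the check applies to roles that currently have an active or
# eligible assignment, so collect those role definition IDs first.
$rolesInUse = @{}
Get-MgRoleManagementDirectoryRoleAssignmentScheduleInstance -All |
    ForEach-Object { $rolesInUse[$_.RoleDefinitionId] = $true }
Get-MgRoleManagementDirectoryRoleEligibilityScheduleInstance -All |
    ForEach-Object { $rolesInUse[$_.RoleDefinitionId] = $true }

# Each directory role has one PIM policy assigned at tenant scope ('/').
$policyAssignments = Get-MgPolicyRoleManagementPolicyAssignment -All `
    -Filter "scopeId eq '/' and scopeType eq 'DirectoryRole'"

$results = foreach ($pa in $policyAssignments) {
    if (-not $rolesInUse.ContainsKey($pa.RoleDefinitionId)) { continue }

    $role = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $pa.RoleDefinitionId

    # Read the notification rule as a raw Graph object (hashtable) so the same
    # object can be modified and PATCHed back when remediating.
    $ruleUri = "https://graph.microsoft.com/v1.0/policies/roleManagementPolicies/$($pa.PolicyId)/rules/Notification_Admin_EndUser_Assignment"
    $rule    = Invoke-MgGraphRequest -Method GET -Uri $ruleUri
    $current = @($rule.notificationRecipients)

    # Finding if any required SA/ISSO mailbox is absent (-notcontains is case-insensitive).
    $missing = @($RequiredRecipients | Where-Object { $current -notcontains $_ })

    if ($missing.Count -gt 0 -and $Remediate) {
        # Fix text step 5e: add the SA and ISSO under "Additional recipients",
        # keeping every other field of the rule exactly as it was.
        $rule.Remove('@odata.context')          # response-only metadata, not part of the rule
        $rule.notificationRecipients = @($current + $missing)
        Invoke-MgGraphRequest -Method PATCH -Uri $ruleUri -Body $rule | Out-Null
        $current = @($rule.notificationRecipients)
        $missing = @()
    }

    [pscustomobject]@{
        Role       = $role.DisplayName
        Recipients = ($current -join '; ')
        Missing    = ($missing -join '; ')
        Finding    = ($missing.Count -gt 0)
    }
}

$results | Sort-Object Finding -Descending | Format-Table -AutoSize
if ($results.Finding -contains $true) {
    Write-Warning 'V-270255: at least one active/eligible role does not alert the SA and ISSO on activation.'
}
```

Run it without -Remediate to reproduce the check as a read-only report (any row with Finding = True is the condition the check text calls a finding); run it with -Remediate to apply the fix text. Because the script only appends the missing addresses to the existing notificationRecipients list, recipients already configured for other purposes are preserved, which is the same effect as adding addresses under "Additional recipients" in the portal.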